Retrieves an access token.

Unless otherwise noted, this method must be called before any any other web service function, as the Authorization header value is required to call most methods. A successful transaction will receive a 200 status code.

POST /Token { "grant_type": "client_credentials", "client_id": "{email/username}", "client_secret": "{password}" }

POST /Token { "grant_type": "refresh_token", "refresh_token": "{refresh token}", }

POST /Token { "grant_type": "authorization_code", "code": "{authorization code}", "resource_type": "{resource type}" }

POST /Token { "mfa_method": "Email or Auth", "mfa_token": "{mfa token from challenge endpoint}", "user_token": "{user token from challenge}", "otp":"{otp received within email}", "grant_type":"mfa_otp" } POST /Token { "grant_type": "authorization_code", "code": " Access Token from okta ", "resource_type": "okta" }

HTTP Status Code 400 Error Codes (error property):

InvalidGrantType - Invalid grant type.

InvalidResourceType - Invalid resource type.

InvalidRequest - The request is invalid.

IdTokenInvalid - Invalid id token.

HTTP Status Code 401 Error Codes (error property):

InvalidCredentials - Invalid credentials.

AccountUnverified - User account has not been verified.

IpRestriction - User's location is restricted by IP address. The IP address of the user's current location is invalid.

PasswordExpired - Password expired. The user must change their password.

AccountDisabled - Account is disabled.

AccountLockedOut - Too many invalid login attempts. The account has been disabled.

RefreshTokenInvalid - Invalid refresh token or expired.

IdTokenInvalid - Invalid id token.

MFARequired - MFA Required. To MFA via email, call the /token/challenge (POST) endpoint to continue. To MFA via Authenticator app, call this endpoint again (MFA Example above).